Re: Single Sign On - from anywhere
- From: Dominick Baier [DevelopMentor] <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 26 Jan 2006 16:03:37 +0000 (UTC)
Hi,
as long as there are no revolutionary new plugins for non-IE browsers - SSO only works with IE.
That's the first important point.
The second is that for the delegation-of-credentials scenario you describe you need Kerberos authentication from browser to back-end server (e.g. SQL Server).
Only IE can "speak" Kerberos, and only if the client is logged on to the domain (= no external users). There are ways to "convert" an NTLM or basic auth to Kerberos; this has some pre-reqs, e.g. you need Windows 2003 on your web server AND on ALL domain controllers.
Read more here (essential!): http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
At least one plugin I saw for Firefox allowed storing the credentials for the website on the client (url / credential pair). I would not recommend "simulating" your own Windows login; as you say, this would involve storing the password somehow, and since "normal" auth is done in IIS and ASP.NET runs much later, you would also have to enable anonymous access for this approach to work.
Or in other words: if the browser does not support it, you can't support it either.
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
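As an added illustration of the configuration side of the scenario discussed above (this is example configuration written for this page, not code from either poster), the following ASP.NET web.config hands authentication to IIS, rejects anonymous callers, and impersonates the caller for the database hop. It assumes IIS has Integrated Windows Authentication enabled with anonymous access disabled and the site is served over SSL; `SQLHOST` and `AppDb` are placeholder names.

```xml
<?xml version="1.0"?>
<!-- Example web.config (not from the thread) for
     browser -> IIS -> ASP.NET -> SQL Server "as the caller".
     Assumes: IIS Integrated Windows Authentication on, anonymous off,
     SSL in front. SQLHOST / AppDb are placeholders. -->
<configuration>
  <system.web>
    <!-- IIS does the authentication (Negotiate/Kerberos or NTLM), so the
         application never handles a password. -->
    <authentication mode="Windows" />

    <!-- Deny unauthenticated ("?") requests at the ASP.NET layer as well,
         so an accidentally re-enabled anonymous user never reaches the app.
         A "simulated" login would need anonymous access here, which is the
         weak setting the reply warns against. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Run each request under the caller's own token. The token only
         carries to a remote SQL Server when it is delegatable: Kerberos
         end to end, or NTLM-to-Kerberos protocol transition on a W2k3
         domain as described in the reply. -->
    <identity impersonate="true" />
  </system.web>

  <connectionStrings>
    <!-- Integrated Security: no database username/password stored anywhere;
         SQL Server authorizes the impersonated Windows identity. -->
    <add name="AppDb"
         connectionString="Data Source=SQLHOST;Initial Catalog=AppDb;Integrated Security=SSPI" />
  </connectionStrings>
</configuration>
```

The check worth doing after deploying this is to inspect the authenticated identity on the server (for example `WindowsIdentity.GetCurrent().AuthenticationType` from a page running under impersonation): if it reports NTLM rather than Kerberos, the token is not delegatable and the connection to a remote SQL Server will arrive as an anonymous logon instead of the user, which is exactly the failure mode the reply describes.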
Hi;
Thanks for your answer. What I want is the browser talks to my ASP.NET app and my app gets the request, calls the business logic layer that then access the database as the user on the browser.
I want to do this (rather than a single connection for all users to the database) so that database access is limited to what that user has rights to. It removes my program from all the authorization issues and uses the authorizations already in existence for the user, their group memberships, and their rights in the database.
In terms of identifying the user, I prefer not to make them log in since they already logged in to Windows. I think what you are saying is this is only possible for IE.
When they do have to log in, I'd prefer that it is done in a way where my app never sees the password. Is that possible? Or do I need to do a form login and use the username/password to get their credentials?
Finally, what is the best way to handle repeated logins by someone who is not running IE from a system on the same domain? I could use a cookie to identify that they are back (if they select that option) and store their domain username/password in my DB, but that strikes me as a big security vulnerability as that data holds people's usernames/passwords.
I could make them log in for each session, but that could honk people off as they are used to not having to re-enter each time.
??? - thanks - dave
"Dominick Baier [DevelopMentor]" wrote:
Hi,
What do you mean with access files, db etc.? You mean via the browser interface? Are these resources local or remote to the web server?
1) IE is the only browser that supports Kerberos directly. There are NTLM plugins for Firefox and Mozilla, but AFAIK they don't provide seamless login (without providing credentials).
2) This could be done with NTLM or some other HTTP auth mechanism.
Some points:
- for delegation to work you need Kerberos end to end. Only IE supports Kerberos. IIS6 (in a W2k3 functionality level domain) supports transitioning between non-delegatable protocols like NTLM to Kerberos
- you need SSL, regardless of the authentication technique
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com
Hi;
I think this can be done. I want to be able to do the following:
1) User hits my ASP.NET app from a browser running on Windows XP, and there is a trust relationship between the domain they are logged in as on their workstation and the domain of the server I am running on -> I get their credentials without their having to enter a username/password, and I can then open files and access a database as them. Using any browser, not just IE.
2) They are on a workgroup (not domain) or on a system without a trust relationship, or on a non-Windows O/S; they are then prompted for their username/password on the domain my server is running on, and once they enter it, I get their credentials, and I never see or touch their password. And again, I can then open files & access the database as them.
Can this be done? And if so, any urls to a simple example?